CVE-2024-31861

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn't have Shell interpreter by default.

CVSS

No CVSS.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/10/8
https://github.com/apache/zeppelin/pull/4708
https://lists.apache.org/thread/99clvqrht5l5r6kzjzwg2kj94boc9sfh

Configurations

No configuration.

History

01 May 2024, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/04/10/8 -

11 Apr 2024, 12:47

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de control inadecuado de generación de código ("inyección de código") en Apache Zeppelin. Los atacantes pueden utilizar el intérprete Shell como puerta de enlace de generación de código y ejecutar el código generado de forma normal. Este problema afecta a Apache Zeppelin: desde 0.10.1 antes de 0.11.1. Se recomienda a los usuarios actualizar a la versión 0.11.1, que no tiene intérprete de Shell de forma predeterminada.

11 Apr 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-11 09:15

Updated : 2024-05-01 18:15

NVD link : CVE-2024-31861

Mitre link : CVE-2024-31861

CVE.ORG link : CVE-2024-31861

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

JSON object

Attach tags to CVE-2024-31861

Attach tags to `CVE-2024-31861`